Factor out the legacy stack version checks.

Also check for explicit version numbers, rather than just the major version value. ok tb@
author: jsing <> 2021-02-07 15:04:10 +0000
committer: jsing <> 2021-02-07 15:04:10 +0000
commit: 1e3243705c6918de211100bcbd8ef0b8488d215e (patch)
tree: 39da1e539db935f3cc8ae0aeec4e7f7ceb5cc61e /src
parent: 5a642e2e581776f13874ce5444f9f27501465e56 (diff)
download: openbsd-1e3243705c6918de211100bcbd8ef0b8488d215e.tar.gz
openbsd-1e3243705c6918de211100bcbd8ef0b8488d215e.tar.bz2
openbsd-1e3243705c6918de211100bcbd8ef0b8488d215e.zip
4 files changed, 24 insertions, 28 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 4a6e8b06a8..25164ea012 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.76 2020/10/14 16:57:33 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.77 2021/02/07 15:04:10 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -212,18 +212,10 @@ ssl3_connect(SSL *s)
                        if (cb != NULL)
                                cb(s, SSL_CB_HANDSHAKE_START, 1);
-                        if (SSL_is_dtls(s)) {
+                        if (!ssl_legacy_stack_version(s, s->version)) {
-                                if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
+                                SSLerror(s, ERR_R_INTERNAL_ERROR);
-                                        SSLerror(s, ERR_R_INTERNAL_ERROR);
+                                ret = -1;
-                                        ret = -1;
+                                goto end;
-                                        goto end;
-                                }
-                        } else {
-                                if ((s->version & 0xff00) != 0x0300) {
-                                        SSLerror(s, ERR_R_INTERNAL_ERROR);
-                                        ret = -1;
-                                        goto end;
-                                }
                        }
                        /* s->version=SSL3_VERSION; */
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index d5298d7af1..b56a99bb79 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.318 2021/01/28 17:00:39 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.319 2021/02/07 15:04:10 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1115,6 +1115,7 @@ int ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
 int ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
    uint16_t *out_ver);
 int ssl_downgrade_max_version(SSL *s, uint16_t *max_ver);
+int ssl_legacy_stack_version(SSL *s, uint16_t version);
 int ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher);
 int ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher,
    uint16_t min_ver, uint16_t max_ver);
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 3551ee41ee..15768bb565 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.90 2021/01/26 14:22:20 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.91 2021/02/07 15:04:10 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -213,19 +213,12 @@ ssl3_accept(SSL *s)
                        if (cb != NULL)
                                cb(s, SSL_CB_HANDSHAKE_START, 1);
-                        if (SSL_is_dtls(s)) {
+                        if (!ssl_legacy_stack_version(s, s->version)) {
-                                if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
+                                SSLerror(s, ERR_R_INTERNAL_ERROR);
-                                        SSLerror(s, ERR_R_INTERNAL_ERROR);
+                                ret = -1;
-                                        ret = -1;
+                                goto end;
-                                        goto end;
-                                }
-                        } else {
-                                if ((s->version >> 8) != 3) {
-                                        SSLerror(s, ERR_R_INTERNAL_ERROR);
-                                        ret = -1;
-                                        goto end;
-                                }
                        }
                        s->internal->type = SSL_ST_ACCEPT;
                        if (!ssl3_setup_init_buffer(s)) {
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index c5de9d0cde..83d0d06af5 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.8 2021/01/04 19:19:12 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.9 2021/02/07 15:04:10 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 *
@@ -231,3 +231,13 @@ ssl_downgrade_max_version(SSL *s, uint16_t *max_ver)
        return 1;
 }
+int
+ssl_legacy_stack_version(SSL *s, uint16_t version)
+{
+        if (SSL_is_dtls(s))
+                return version == DTLS1_VERSION;
+        return version == TLS1_VERSION || version == TLS1_1_VERSION ||
+            version == TLS1_2_VERSION;
+}
author	jsing <>	2021-02-07 15:04:10 +0000
committer	jsing <>	2021-02-07 15:04:10 +0000
commit	1e3243705c6918de211100bcbd8ef0b8488d215e (patch)
tree	39da1e539db935f3cc8ae0aeec4e7f7ceb5cc61e /src
parent	5a642e2e581776f13874ce5444f9f27501465e56 (diff)
download	openbsd-1e3243705c6918de211100bcbd8ef0b8488d215e.tar.gz openbsd-1e3243705c6918de211100bcbd8ef0b8488d215e.tar.bz2 openbsd-1e3243705c6918de211100bcbd8ef0b8488d215e.zip